diff --git a/security/apparmor/2.13.3/install.sh b/security/apparmor/2.13.3/install.sh
new file mode 100755
index 000000000..01b664313
--- /dev/null
+++ b/security/apparmor/2.13.3/install.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Copyright © 2019 by The qTox Project Contributors
+#
+# This file is part of qTox, a Qt-based graphical interface for Tox.
+# qTox is libre software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# qTox is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with qTox. If not, see
+
+
+set -e -u pipefail
+
+readonly SCRIPT_DIR=$(dirname $(readlink -f $0))
+
+if [[ $(id -u) != 0 ]]
+then
+ >&2 echo "Please run as root."
+ exit 1
+fi
+
+if [[ -z $(which apparmor_parser) ]]
+then
+ >&2 echo "AppArmor not found."
+ exit 1
+fi
+
+#NOTE: we do not need to create /etc/apparmor.d/tunables/usr.bin.qtox.d/ or
+#/etc/apparmor.d/local/usr.bin.qtox because AppArmor >2.13 support #include if
+#exists
+
+echo "Copying AppArmor files..."
+cp -v "${SCRIPT_DIR}/tunables/usr.bin.qtox" "/etc/apparmor.d/tunables/"
+cp -v "${SCRIPT_DIR}/usr.bin.qtox" "/etc/apparmor.d/"
+
+echo "Restarting AppArmor..."
+systemctl restart apparmor
+
+echo "Done."
+
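Review bot: `set -e -u pipefail` on the `set` line does not enable pipefail: once the option flags end, `pipefail` is parsed as a positional argument (it becomes `$1`), so the script runs with only `-e -u` and the intended pipeline checking is silently missing; the fix is `set -euo pipefail`. The `readonly SCRIPT_DIR=$(dirname $(readlink -f $0))` line leaves both expansions unquoted and lets `readonly` mask a failing `readlink`, so an unexpected exit status would not stop the script before the `cp` into `/etc/apparmor.d/`; I would write `SCRIPT_DIR=$(dirname "$(readlink -f -- "$0")"); readonly SCRIPT_DIR`. The `which apparmor_parser` probe is better expressed with the builtin, `command -v apparmor_parser >/dev/null || { >&2 echo "AppArmor not found."; exit 1; }`, which behaves the same on systems where `which` is absent or prints to stderr. Since this script copies policy as root and then restarts the AppArmor service, the error-handling lines above are the ones that decide whether a half-copied profile set is ever loaded.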
diff --git a/security/apparmor/2.13.3/tunables/usr.bin.qtox b/security/apparmor/2.13.3/tunables/usr.bin.qtox
new file mode 100644
index 000000000..61323202d
--- /dev/null
+++ b/security/apparmor/2.13.3/tunables/usr.bin.qtox
@@ -0,0 +1,28 @@
+# Copyright © 2019 by The qTox Project Contributors
+#
+# This file is part of qTox, a Qt-based graphical interface for Tox.
+# qTox is libre software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# qTox is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with qTox. If not, see
+
+@{qtox_prefix} = /usr /usr/local
+
+# Allow to read & write into mounted media, etc.
+# for convenient sending & receiving of files.
+@{qtox_additional_rw_dirs} = /mnt /media
+
+# Create /etc/apparmor.d/tunables/usr.bin.qtox.d/local file to append values as
+# needed, such as:
+# @{qtox_prefix} += @{HOME}/opt/qtox
+# @{qtox_additional_rw_dirs} = /data/nfs_storage
+#include if exists
+
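Review bot: The example for a site-local override at the end of the file shows `@{qtox_additional_rw_dirs} = /data/nfs_storage` with `=`, while the line above it uses `+=` for `@{qtox_prefix}`; a plain `=` would replace the `/mnt /media` defaults set earlier in this file rather than extend them, and if the parser treats a second `=` on an already-defined variable as an error (I believe it does, but cannot confirm from this page), the example would not load at all. I would make the two examples consistent, `# @{qtox_additional_rw_dirs} += /data/nfs_storage`, and say in the comment that `+=` appends to the defaults. The target of the final `#include if exists` line is not visible in this rendering, so I cannot check that it points at the `usr.bin.qtox.d` directory the comment describes.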
diff --git a/security/apparmor/2.13.3/usr.bin.qtox b/security/apparmor/2.13.3/usr.bin.qtox
new file mode 100644
index 000000000..704407c76
--- /dev/null
+++ b/security/apparmor/2.13.3/usr.bin.qtox
@@ -0,0 +1,327 @@
+# Copyright © 2019 by The qTox Project Contributors
+#
+# This file is part of qTox, a Qt-based graphical interface for Tox.
+# qTox is libre software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# qTox is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with qTox. If not, see
+
+#include
+#include
+
+# using variables in profile name is not yet recommended due to issues with
+# AppArmor tools
+# TODO: use this alternative in the future when available
+#profile qtox @{qtox_prefix}/bin/qtox {
+profile qtox /usr{,/local}/bin/qtox {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include if exists
+
+ # Main executable
+
+ @{qtox_prefix}/bin/qtox mr,
+
+ # Other executables
+
+ #TODO: use xdg-open abstraction when it's available
+ /usr/bin/xdg-open PUx,
+ #TODO: use named profile or abstraction when it's available
+ /usr/lib/@{multiarch}/libexec/kf5/kioslave PUx,
+
+ # Additional libraries
+
+ # Allow /usr/local/lib/libtoxcore.so...
+ @{qtox_prefix}/lib/*.so* mr,
+
+ # Networking
+
+ network inet udp,
+ network inet6 udp,
+ network inet tcp,
+ network inet6 tcp,
+
+ # DBus
+
+ dbus send
+ bus=session
+ path=/org/a11y/bus
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(label=unconfined),
+
+ dbus receive
+ bus=session
+ path=/
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(label=unconfined),
+
+ dbus send
+ bus=session
+ path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(label=unconfined),
+
+ dbus (send,receive)
+ bus=session
+ path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(label=unconfined),
+
+ dbus receive
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=GetDevices
+ peer=(label=unconfined),
+
+ dbus receive
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.NetworkManager
+ member=PropertiesChanged
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings
+ interface=org.freedesktop.NetworkManager.Settings
+ member=ListConnections
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+ interface=org.freedesktop.NetworkManager.Settings.Connection
+ member=GetSettings
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(label=unconfined),
+
+ dbus receive
+ bus=system
+ path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+ interface=org.freedesktop.NetworkManager.Connection.Active
+ member=PropertiesChanged
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(label=unconfined),
+
+ dbus send
+ bus=session
+ path=/StatusNotifierWatcher
+ interface=org.kde.StatusNotifierWatcher
+ member=RegisterStatusNotifierItem
+ peer=(label=unconfined),
+
+ dbus receive
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member=Activate
+ peer=(label=unconfined),
+
+ dbus (send,receive)
+ bus=session
+ path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member=GetLayout
+ peer=(label=unconfined),
+
+ dbus (send,receive)
+ bus=session
+ path=/MenuBar
+ interface=com.canonical.dbusmenu
+ member={AboutToShow,Event}
+ peer=(label=unconfined),
+
+ dbus send
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member={NewIcon,NewToolTip}
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/UPower
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/UDisks2/{block_devices,block_devices/*,drives,drives/*}
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(label=unconfined),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/UDisks2/{block_devices,drives}/*
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(label=unconfined),
+
+ dbus send
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=GetConnectionUnixUser
+ peer=(label=unconfined),
+
+ dbus send
+ bus=session
+ path=/
+ interface=org.kde.KDirNotify
+ member={enteredDirectory,leftDirectory}
+ peer=(label=unconfined),
+
+ dbus receive
+ bus=session
+ path=/
+ interface=org.kde.KDirNotify
+ member=FilesAdded
+ peer=(label=unconfined),
+
+ dbus send
+ bus=session
+ path=/KLauncher
+ interface=org.kde.KSlaveLauncher
+ member=requestSlave
+ peer=(label=unconfined),
+
+ # Denied files
+
+ # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+ # AppArmor does not allow to distinguish "real" file vs shared memory one,
+ # so we deny this path to protect from loading exploits from /tmp.
+ deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
+ # libfontconfig bug? Should not write to root-owned dirs.
+ deny /usr/share/fonts/** w,
+ deny /var/cache/fontconfig/ w,
+
+ # System files
+
+ /usr/share/hunspell/* r,
+ @{qtox_additional_rw_dirs}/ r,
+ @{qtox_additional_rw_dirs}/** rw,
+
+ # Sensitive directory access!!!
+ # Allow navigating directories with file dialog, to access directory you
+ # can write (read) file to, for most convenience (though against maximum
+ # security). Note: this allows reading only directory contents (list),
+ # not the files itself.
+ /{,**/} r,
+
+ /dev/ r,
+ /dev/video[0-9]* rw, # webcam
+ /etc/fstab r, # file dialog
+ /etc/xdg/menus/ r, # file dialog
+ /proc/sys/kernel/core_pattern r, # for KCrash::initialize()
+ /proc/sys/kernel/random/boot_id r, # for QSysInfo::bootUniqueId(), mvoe to qt5 abstraction?
+ /run/udev/data/*:* r, # libKF5KIOFileWidgets.so -> libudev.so (KDE file dialog)
+ /sys/bus/ r, # file dialog
+ /sys/bus/usb/devices/ r, # file dialog
+ /sys/class/ r, # file dialog
+ /sys/devices/**/uevent r, # file dialog
+ /sys/devices/system/node/ r, # for ld-linux-x86-64.so -> libnuma1.so
+ /sys/devices/system/node/node[0-9]*/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
+ /usr/share/emoticons/{,**} r,
+ /usr/share/hwdata/pnp.ids r, # For OpenSUSE only?
+ /usr/share/icu/[0-9]*.[0-9]*/icudt[0-9]*.dat r, # For OpenSUSE only?
+ /usr/share/kservices5/{,**} r, # file dialog
+ /usr/share/mime/ r, # file dialog
+ /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
+ /usr/share/sounds/ r, # file dialog (alert)
+ /{,var/}run/udev/data/* r, # file dialog
+
+ # User files
+
+ # Sensitive file access!!!
+ # Allow reading & writing into $HOME, EXCEPT for dot files and directories,
+ # for most convenience (though against maximum security).
+ owner @{HOME}/ r,
+ owner @{HOME}/[^.]* rw,
+ owner @{HOME}/[^.]*/{,**} rw,
+ # QSaveFile security measures? While saving log file
+ owner @{HOME}/[^.]* l -> @{HOME}/#[0-9]*[0-9],
+ owner @{HOME}/[^.]*/** l -> @{HOME}/#[0-9]*[0-9],
+
+ owner /{,var/}run/user/@{uid}/#[0-9]*[0-9] rw, # file dialog
+ owner /{,var/}run/user/@{uid}/qTox*.slave-socket rwl -> /{,var/}run/user/@{uid}/#[0-9]*[0-9], # file dialog
+ owner @{HOME}/.cache/Tox/ w,
+ owner @{HOME}/.cache/Tox/qTox/{,**} rw,
+ owner @{HOME}/.cache/fontconfig/** rwk,
+ owner @{HOME}/.cache/qTox/{,**} rw,
+ owner @{HOME}/.cache/thumbnails/** rw, # receiving image file produces thumbnail?
+ owner @{HOME}/.config/menus/ r, # file dialog
+ owner @{HOME}/.config/menus/applications-merged/ r, # file dialog
+ owner @{HOME}/.config/qToxrc rw,
+ owner @{HOME}/.config/qToxrc.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9], # QSaveFile?
+ owner @{HOME}/.config/qToxrc.lock rwk,
+ owner @{HOME}/.config/tox/** l -> @{HOME}/.config/tox/**, # QSaveFile?
+ owner @{HOME}/.config/tox/{,**} rwk,
+ owner @{HOME}/.fonts/.uuid* rw,
+ owner @{HOME}/.fonts/.uuid.* l -> @{HOME}/.fonts/.uuid.*,
+ owner @{HOME}/.fonts/.uuid.*/ rw,
+ owner @{HOME}/.local/share/Tox/{,**} rw,
+ owner @{HOME}/.local/share/qTox/{,**} rw,
+ owner @{HOME}/.local/share/user-places.xbel r, # file dialog
+ owner @{PROC}/@{pid}/cmdline r,
+
+}
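Review bot: `/usr/bin/xdg-open PUx,` under "Other executables" (and the kioslave rule below it) transitions to an unconfined process with only environment scrubbing, so whatever handler xdg-open launches runs entirely outside this profile; presumably the argument is a URL taken from a chat message, which makes this the widest hole in an otherwise tight profile. The TODO notes the missing abstraction, but until one exists the consequence should be stated next to the rule so the `PUx` is not read as a confined transition: `# PUx: xdg-open and the handler it launches run unconfined (no profile applies)`. The same caveat applies to the `/{,**/} r,` rule, which already carries a warning comment; I would cross-reference the two since together they define what an exploited qTox can reach. The targets of the `#include` lines at the top of the profile and inside it are not visible in this rendering, so I cannot check which abstractions are pulled in or whether `abstractions/dbus-session-strict` and similar narrow variants were chosen.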
diff --git a/security/apparmor/README.md b/security/apparmor/README.md
index 39440f7ce..e45b12bcc 100644
--- a/security/apparmor/README.md
+++ b/security/apparmor/README.md
@@ -29,10 +29,13 @@ Select AppArmor profile from appropriate `security/apparmor/X` subdirectory
depending on what AppArmor version is available for your Linux distribution
release:
-- 2.13.2
- - Debian 10 (buster) (or newer)
- - Ubuntu 19.04 (Disco Dingo) (or newer)
+- 2.13.3
+ - Debian 11 (bullseye) (or newer)
+ - Ubuntu 19.10 (or newer)
- openSUSE Tumbleweed
+- 2.13.2
+ - Debian 10 (buster)
+ - Ubuntu 19.04 (Disco Dingo)
- 2.12.1
- Debian 9 (stretch) or older
- Ubuntu 18.10 or older